The holiday shopping season has already begun! Amazon kicked off the season in early October, with day 1 of Prime Day hitting the largest day of sales in Amazon’s history. Prime members were offered exclusive and early opportunities to save heading into the holidays, and spent over $375 million worldwide, saving $12.5 billion on deals.
Amazon isn’t the only retailer starting early. Yes, you actually did see Walmart’s commercial, Holiday Kickoff, offering holiday deals on their website – in the first week of October. In recent years, retail giants like Amazon, Walmart and Target as well as many others have featured discount events well ahead of Black Friday and Cyber Monday.
E-commerce options simplify the holiday shopping madness. For retailers, selling goods online has opened lucrative channels for additional spending that go way beyond customers walking through the doors of a store to purchase. Today’s consumers have grown accustomed to shopping online for Black Friday, Cyber Monday, Small Business Saturday, and Super Saturday. You can even order goods from online retailers just hours before Santa arrives.
This year, consumers say they plan to shop early for holiday gifts. The National Retail Federation (NRF) states that consumers are making their lists and checking them twice – budgeting, researching and preparing for their purchases.
Almost half (46%) of consumers started their holiday shopping before November last year, up from 39% in 2019, and this year is shaping up to follow the same trend. In an NRF survey last month, 39% of shoppers said they plan to start shopping earlier than they typically do this holiday season. – NRF
Shopping trends
E-commerce has revolutionized the holiday shopping experience and represents massive growth in just a few short years. Back in 2015, online sales reached $83 billion in the U.S. during November and December and made up 7.4% of total retail sales worldwide. In 2021, global online retail sales reached over five trillion U.S. dollars, a figure expected to exceed seven trillion U.S. dollars by 2025. While e-commerce accounted for nearly 19 percent of retail sales worldwide, it is predicted that by 2027, it will make up close to a quarter of total global retail sales.
Medallia Market Research’s recent report on holiday consumer spending predicts that, in spite of inflation, 2023 holiday shoppers will spend about as much as they did in 2022 (but on fewer gifts), with e-commerce holiday sales reaching between $278 billion and $284 billion this season, as reported by Deloitte. Online shopping will be the preferred method of shopping for many, as 67% of consumers plan to do at least 40% of their shopping online – with an 11.3% YoY growth in U.S. e-commerce sales, as reported by Insider Intelligence.
With Growth Comes Opportunity
As merchants prepare for the largest shopping season of the year, so too do holiday scammers. A recent study released by Juniper Research reveals that e-commerce fraud will exceed $48 billion globally in 2023, up from $41 billion in 2022. North America has the highest fraudulent transaction value globally, accounting for over 42% of e-commerce fraud. Shockingly, online payment fraud globally is predicted to exceed $343 billion between now and 2027.
With more than half of all fraud occurring between September and December, and chargeback rates increasing by up to 50% during peak shopping periods, there’s no doubt that holiday credit card fraud is a real threat. But why are the holidays a prime time for hackers to strike?
According to the FBI and the Cybersecurity and Infrastructure Security Agency (CISA), there is a pattern of increased “highly impactful” attacks occurring during and around holidays in the United States. The agencies suggest that cybercriminals strategically target American holidays to breach enterprise networks because they know offices are short-staffed and response times to cyber events are likely to be dramatically reduced. Further, because employees often travel during and around holidays, companies may need to call in third-party experts to handle a breach. The result is more valuable time for hackers to propagate a ransomware attack, for example, as the outside experts take stock of a new network.
Hackers Are Cashing in on the Holidays
Online merchants need to be vigilant against various types of fraud to protect their businesses and customers. Here are some common types of fraud businesses should be aware of during the holiday season and how to avoid the risk of a cyberattack trap.
Phishing Emails
Phishing emails are one of the most common types of cybercrime and continue to be a top complaint received by the Federal Bureau of Investigation (FBI) Internet Crime Complaint Center. Phishing scams have increased year-over-year, with 255 million attacks reported in 2022, an increase of sixty-one percent from 2021.
Many phishing emails seem like they are from legitimate sources and will either request personal information or contain links and downloads that infect your computer with a virus or with malicious software called ransomware. Once your computer is infected, scammers will steal your personal information or hold your computer hostage until you pay them.
New phishing tactics have emerged with the boom of artificial intelligence (AI). Reports have indicated the growth of this threat, discovering over 50 fake AI apps developed to deploy phishing attacks against users and capture their personal and payment data.
Recently, the FBI warned companies in the United States to be alert to the risk of dual ransomware attacks, in which the same organization is targeted more than once in quick succession. The FBI recommends companies review their security posture, maintain offline back-ups of critical data, and ensure those back-ups are encrypted.
Friendly Fraud
Friendly fraud, also known as chargeback fraud, refers to a situation in which a consumer makes a legitimate online purchase but later disputes the charge with their payment card provider, leading to a chargeback. Unlike traditional fraud, where a criminal steals a person’s credit card information to make unauthorized purchases, friendly fraud involves a transaction initiated by the legitimate cardholder.
Instead of contacting the merchant directly for a refund, consumers will dispute the transaction with their bank claiming that they didn’t make the purchase, never received the item, or that they sent back an item when they didn’t.
Since card issuers often receive an overwhelming amount of chargeback requests, many will greenlight the request with little to no evidence, passing the damage on to the business.
While not the most well-known form of fraud, holiday chargebacks are the bane of many retailers. A chargeback is meant to protect cardholders by providing them with a way to secure refunds for fraudulent charges. However, fraudsters take advantage of chargebacks by using them to receive refunds for products they don’t return.
By the time chargebacks are fully accounted for 60 to 90 days after the holidays, it is often too late to stop the fraud. The delayed reporting of chargebacks also means that merchants get a distorted picture of their holiday performance, with losses not showing up until weeks or perhaps months later.
Chargebacks continue to show no mercy to merchants, who are expected to pay over $100 billion in chargebacks in 2023, an estimated annual growth rate of 1.5%. Friendly fraud is expected to represent 61% of all chargebacks.
Card Testing
Fraudsters use card testing to determine whether stolen credit card information is valid. This information may have been purchased on the Dark Web from a data breach or could have been stolen directly by the fraudster using phishing, ransomware, or other hacking methods.
Once cyber thieves have the stolen information, such as credit card numbers or social security numbers, they will attempt several small purchases on an e-commerce page to see if the credit card is still active. They do this because cards are often stolen weeks or months prior and may have been deactivated by the cardholder or bank.
If the transaction is successful, they can then move on to use that card for bigger purchases on other websites or they can resell that card information to someone else.
Non-Payment or Non-Delivery Charges
A non-payment scam occurs when goods or services are provided or shipped, but the seller never receives payment. Vice versa, a non-delivery scam takes place when a buyer pays for goods online, but never receives their items.
To avoid falling for these traps, make sure the website you are buying from is legitimate and secure. If the web address does not begin with https, the website is not secure and you should avoid entering your information. If you are the seller, make sure your business processes payments before sending any products.
Distributed Denial of Service (DDoS) Attacks
Another threat for businesses around the holidays is the Distributed Denial of Service (DDoS) attack, in which attackers purposefully disrupt the normal traffic of a server, service, or network with a flood of internet traffic so that it cannot operate or communicate properly.
The global pandemic created more urgency for online operations, which has presented new opportunities for DDoS attacks, and cyber criminals are taking full advantage. To prevent or help mitigate DDoS attacks you can:
- Increase bandwidth to help handle traffic spikes
- Switch to cloud-based services
- Take advantage of anti-DDoS hardware and software
Fraud Prevention and Detection – The Basics
It is evident that e-commerce sales – along with e-commerce fraud – will continue to grow. Many retailers will struggle with maintaining bandwidth, monitoring fraud, securing mobile shopping platforms, and managing holiday chargebacks. For ultimate credit card protection, it’s important to immediately review your credit card verification processes and fix any issues in advance of the busy holiday rush.
- Use reCAPTCHA to deter bots from testing credit cards
- Use Address Verification (AVS) to ensure cardholder billing addresses match orders
- Require CVV codes on all credit and debit card purchases
- Flag multiple order attempts from the same IP address
- Ensure order addresses and IP addresses are from the same country
- Review your email database for hacked addresses
There are also additional measures that you and your employees can take to help spot online fraud. Be on the lookout for purchases where:
- The shipping address does not match the billing address
- The purchaser attempts to circumvent your usual payment process (e.g. sending credit card information via email rather than entering it on your website)
- The order is for an unusually large number of items
- The purchaser wants items rushed or shipped next-day (this is not necessarily suspicious on its own but should be noted if there are other red flags)
- The order is from another country – particularly if you sell items that could be easily obtained in any country
- The customer tries different expiration dates after an initial decline
- The customer purchases a large quantity of the same item
Strategies and Tools to Safeguard Your Checkout from Fraud
Fraudsters will always look for vulnerabilities to steal consumer payment data, and although fraud prevention is not foolproof, there are several strategies you can use to effectively reduce the risk of fraudulent activity. The following steps can help make your checkout process more secure.
- Enable security tools like reCAPTCHA. This service prevents automated bots or scripts from submitting payment forms and, if malicious targeting is detected, requires users to click a checkbox or solve a simple puzzle, such as matching words with images.
- Enable CVV verification. Enabling zip code validation, address verification, and CVV on the payment page adds another layer of security. CVVs are harder to compromise than card numbers and expiration dates, so requiring them on your payment form is optimal.
- Implement Transaction Velocity Checks. Merchants can turn on IP blocking rules and configure velocity checks that will automatically block transactions coming from unwanted sources while allowing transactions coming from specific IP addresses. It is recommended that merchants define their own rules to prevent fraudulent transaction attempts.
- Temporarily disable vulnerable forms. If all security protocols put in place still result in a compromise, temporarily disabling a payment form lets the merchant retain the page for future use without deleting the entire form.
- Verify users prior to displaying payment forms. Validating user sessions or requiring users to log in prior to accessing the payment form helps eliminate access by bad actors attempting card testing or validation of stolen credit cards.
- Use fraud-scoring tools. Bluefin encourages its merchants to learn more about Bluefin’s fraud-scoring tool, where they can leverage state-of-the-art machine learning models and established rules to identify good customers, analyze patterns and data, and highlight risky transactions. Fraud prevention requires analyzing devices and the associated identities transacting across digital channels, and monitoring transaction data. Bluefin recommends its merchants adopt a strategy that helps minimize risk and reduce losses caused by card-not-present fraud.
- Bluefin also has various internal monitoring mechanisms through our PayConex™ payment gateway that help detect critical vulnerability indicators like high traffic in a short amount of time with the same attributes, low transaction values, increase in failed authorizations, and specific decline codes.
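The card-testing pattern described earlier and the indicators in the bullets above (many attempts from one IP in a short time, low transaction values, a rise in failed authorizations, new expiration dates after a decline) can be expressed as a small velocity check. This is an added example, not Bluefin's or PayConex's own logic; the thresholds, field names and sample transactions are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Thresholds are assumptions for illustration; tune them to your own traffic.
WINDOW = timedelta(minutes=5)   # look-back window per IP
MAX_ATTEMPTS = 5                # attempts per IP per window
DECLINE_RATIO = 0.6             # share of failed authorizations treated as a spike
LOW_VALUE = 5.00                # ceiling for a "small purchase", USD
MAX_EXPIRIES = 2                # expiry dates tolerated per card token

def detect_card_testing(events):
    """events: time-sorted dicts (ts, ip, card token, exp, amount, approved).
    Returns {ip: sorted reasons}. Works on tokens, never raw card numbers."""
    recent = defaultdict(deque)   # ip -> attempts inside WINDOW
    expiries = defaultdict(set)   # (ip, card) -> expiry dates tried
    flags = defaultdict(set)
    for e in events:
        q = recent[e["ip"]]
        q.append(e)
        while e["ts"] - q[0]["ts"] > WINDOW:   # drop attempts older than the window
            q.popleft()
        if len(q) > MAX_ATTEMPTS:
            flags[e["ip"]].add("velocity")
            if sum(not x["approved"] for x in q) / len(q) >= DECLINE_RATIO:
                flags[e["ip"]].add("failed-auth spike")
            if all(x["amount"] <= LOW_VALUE for x in q):
                flags[e["ip"]].add("low-value probes")
        tried = expiries[(e["ip"], e["card"])]
        tried.add(e["exp"])
        if len(tried) > MAX_EXPIRIES:
            flags[e["ip"]].add("expiry cycling")
    return {ip: sorted(reasons) for ip, reasons in flags.items()}

def sample_events():
    """Constructed transactions, not real data (documentation IP ranges)."""
    t0, ev = datetime(2023, 11, 24, 9, 0), []
    for i in range(8):   # one IP, 8 card tokens, $1.00 each, 10 s apart
        ev.append(dict(ts=t0 + timedelta(seconds=10 * i), ip="203.0.113.7",
                       card=f"tok_{i}", exp="12/25", amount=1.00, approved=(i == 5)))
    for i, exp in enumerate(["01/24", "02/24", "03/24"]):   # same card, new expiry each retry
        ev.append(dict(ts=t0 + timedelta(seconds=65 + i), ip="198.51.100.9",
                       card="tok_x", exp=exp, amount=42.00, approved=False))
    for i in range(2):   # ordinary shopper: two approved orders an hour apart
        ev.append(dict(ts=t0 + timedelta(hours=i), ip="192.0.2.44",
                       card="tok_ok", exp="08/26", amount=59.99, approved=True))
    return sorted(ev, key=lambda e: e["ts"])

if __name__ == "__main__":
    for ip, reasons in detect_card_testing(sample_events()).items():
        print(ip, reasons)
```

Flagged IPs are candidates for review or a step-up challenge rather than an automatic block, since shared addresses can push legitimate shoppers over a per-IP threshold.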
Finally, it’s imperative that merchants make Personally Identifiable Information (PII), Protected Health Information (PHI), and cardholder data worthless on the web. Take advantage of our ShieldConex™ data security platform, which utilizes both hardware-based encryption and vaultless tokenization to secure sensitive data entered online.
Get a Jump Today on Potential Holiday Fraud
As the holiday season picks up, it can become difficult for businesses to track and monitor every instance of fraud. Holiday orders can face less stringent vetting, and at peak volume they become harder to vet because sales patterns tend to be abnormal. While some unusual activity can be reviewed manually, such reviews can slow down transaction volume. This waiting period can be dangerous when you consider that two thirds of online shoppers may not return after an incorrect fraud assessment.
To reduce chargebacks or the possibility of having your website — and revenue source — shut down by hackers, identify your customers, flag suspicious activity, and use two-factor identification to confirm that customers are who they say they are.
Regardless of what the holidays bring, Bluefin will be with you every step of the way — offering seamless PCI-validated Point-to-Point Encryption (P2PE) technology for POS transactions and ShieldConex® for e-commerce payments. To keep your company safe and secure, contact Bluefin today and learn more about our security solutions.